Two-Thirds of Banks Hit by DDoS Attacks in Past Twelve Months

By now most everyone is aware of the Distributed Denial of Service (DDoS) attack campaign targeting nearly a dozen major U.S. banking websites since last fall, but many will be surprised to learn how big a problem DDoS attacks really are for the financial sector. A new study conducted by the Ponemon Institute on behalf of network security provider Corero has found that the majority of banks acknowledge they were subjected to denial of service attacks in the last year, while nearly half indicated they were targeted on more than one occasion.

The study, which included 650 security practitioners from 351 banks around the world, reveals that 64% have been targeted by at least one DDoS attack in the last twelve months, while 48% reported being the subject of multiple attacks.

“It really comes as no surprise that DDoS attacks are one of the most severe security risks cited by the banking industry and these results clearly demonstrate the level to which they are being targeted on a continued basis,” said Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute.

Key findings in the report from Ponemon and Corero include:

There is more confidence in the ability to detect than prevent DDoS attacks. Although the majority of respondents do not believe they are effective in detecting and preventing DDoS attacks, there is more confidence in their ability to detect these attacks.

The majority of retail banks surveyed had a DDoS attack. Sixty-four percent of respondents say their organization had a DDoS in the past 12 months. We estimate that on average the retail banks in this study had 2.8 such attacks in the past 12 months.

Diminished productivity of the bank’s IT staff is by far the worst consequence of a DDoS attack. Respondents in this study are concerned about the time and effort required to respond to these attacks. This is followed by reputation damage, which is critical to maintaining the loyalty of customers and diminished productivity for end users.

Zero day attacks and denial of service attacks are considered the most severe security threats to retail banks. The least severe is the loss or theft of employee computers and malicious insiders.

A lack of resources threatens retail banks’ ability to deal with DDoS attacks. While there is no strong consensus about the most critical barrier to preventing DDoS attacks, insufficient personnel and in-house expertise and inadequate technologies seem to be the most serious concerns. These barriers are followed by insufficient budget.

Traditional firewalls and on-premises anti-DDoS technologies are the most popular to prevent and detect these attacks. These are followed by intrusion detection and prevention and anti-virus technologies.

The threat of DDoS attacks is not improving. Forty-three percent of respondents expect the attacks will either significantly increase or increase. Thirty-five percent expect the threat will stay the same. Only 22 percent expect any decrease in these attacks.

IT respondents acknowledge that the DDoS threat is not abating. However, only 30 percent are planning to purchase an anti-DDoS technology in the next 6 to 12 months.

The headline-making DDoS attacks against the financial sector that began in mid-September of 2012 are being claimed by a group called the Izz ad-Din al-Qassam Cyber Fighters, and have resulted in intermittent downtime for the online banking sites of U.S. Bancorp, JPMorgan Chase, Bank of America, PNC Financial Services Group, SunTrust, HSBC, Ally Bank, BB&T, Wells Fargo and Capital One.

While the group maintains that the attacks are being conducted in protest of a controversial YouTube video, others suspect that the operation may actually be a diversionary tactic to occupy the attention of security staff in order to facilitate fraudulent wire transfers by an unidentified criminal syndicate. The Office of the Comptroller of the Currency (OCC) issued an advisory in December to that effect, which reiterated earlier warnings from the Financial Services – Information Sharing and Analysis Center FS-ISAC, the FBI and IC3.

“When such an attack occurs, the time and efforts of IT staff are devoted to dealing with the problem instead of managing other IT operational and security priorities. This leaves financial institutions open to more dangerous attacks that further compromise their infrastructure," Ponemon said.

Organizations across multiple sectors are relying on traditional perimeter security technologies to thwart DDoS and other attack methods, with 35% of the survey respondents indicating that a network firewall is their main mode of defense. But having a firewall in place does not guarantee that malicious traffic will be filtered out before it reaches the targeted network, and these organizations may have "a false sense of security,” according to Marty Meyer, President of Corero.

“Many Organizations assume traditional firewalls can provide protection against DDoS and Zero-Day exploits at the perimeter, yet this is not what they were designed to do and therefore attacks are still getting through," Meyer said. "Organizations need to add First Line of Defense solutions that can provide this protection and are able to remove all of the ‘noise’ at the perimeter before it hits the network so that firewalls and servers can optimally work on the functions they were originally designed for."

Organizations concerned about their own potential exposure to DDoS attacks are encouraged to take a free DDoS preparedness assessment test which provides a customized evaluation and subsequent recommendations based on answers to a short questionnaire. The DDoS assessment can be conducted in a matter of minutes by following the instructions here: DDoS Preparedness Test.

Share this post:

You May Also Be Interested In:

Anthony M. Freed is an information security journalist and editor who has authored numerous feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets, including The New York Times, Reuters, The Register, Financial Times of London, MSNBC, Fox News, PC/IT/Computer/Tech World, eWeek, SC Magazine, CSO Magazine, Federal News Radio, The Herald-Tribune, Naked Security, and many more. Anthony was the Managing Editor of Infosec Island, an online community designed for IT and network professionals who manage security, risk and compliance issues.